Hi,

In message <_A4382@delegate-en.ML_> on 02/27/09(17:22:56)
you pdeiqbdyi-a5cwttaygk66.ml@delegate.org wrote:
|> As far as I know, FTPS using port #990 applies SSL without any
|> negotiation and has nothing to do with RFC2228.
|
|It seems like the FTPS clients I tried (Filezilla and lftp so far) expect
|an un-encrypted data channel by default. Given that lftp implements an
|option "ftps:initial-prot" it seems like the authors are expecting a PROT
|command to be supported on the server. I am just speculating (not having
|read the source code for lftp) but my guess is that if delegate in FTPS
|mode provided a PROT command, lftp in FTPS mode would try to use it.

If so, it is a little strange that lftp sends PBSZ, which is not listed in
the response by DeleGate to the FEAT command. I tested just adding PBSZ
and PROT to the list unconditionally, but the behavior of lftp did not
change [--1]. And with "set ftps:initial-prot P", lftp starts SSL for the
data connection without negotiation (without sending PROT) [--2].

By the way, I uploaded DeleGate/9.9.2-pre4 with some modifications to
improve support for FTPS.
1) timeout in SSL detection on FTPS data connection
   - to cope with FTPS clients with/without SSL for the data connection
   - the default timeout is 10 seconds
   - it is shorter (0.1 seconds) if specified as optional with STLS="-fcl"
   - it is yet shorter (0.01 seconds) with "PBSZ 0" and without "PROT P"
   - the timeout can be specified explicitly as STLS="fcl,im0.3" for example
2) support for "PROT C"
   - permitted if specified as optional with STLS="-fcl"
3) automatically allowing protocols for MOUNTed target server
   - explicit REMITTABLE="+,ftp" has become unnecessary
4) ending lines of MOUNTed banners with CRLF
   - recent lftp does not work if they end with LF only
5) don't split large status response into multiple SSL records
   - "Transmit3" stalls on such a response

And I noticed that recent lftp warns about disconnection without an SSL
shutdown alert (although it is not rejected as in FileZilla), as in [--3].
So I think it might be better to let "TLSCONF=shutdown" be enabled by
default, at least in FTP-DeleGate, as in [--4].

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
 _< >_  1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller

--1
$ lftp -d ftps://192.168.1.1:9999
...
---> FEAT
<--- 211-Extensions supported
<--- MDTM
<--- SIZE
<--- EPSV
<--- EPRT
<--- PBSZ
<--- PROT
<--- 211 END
---> USER anonymous
<--- 331- Guest login ok, enter your E-mail address as password.
<--- 331 Default value is: ?
---> PASS lftp@
<--- 230- Guest login ok, your E-mail address is <lftp@..>
<--- 230 Now you can select a FTP SERVER by cd //SERVER
---> PWD
<--- 257 "/" is current directory.
---> PBSZ 0
<--- 200 OK
---> PASV
<--- 227 Entering Passive Mode (192,168,1,1,202,187).
---- Connecting data socket to (192.168.1.1) port 51899
---- Data connection established
---> LIST
<--- 150-- LIST for anonymous@ftp.delegate.org.
...
<--- 150--   @ @
<--- 150 \( - )/ -- { connected to `ftp.delegate.org' }
...
---- Got EOF on data connection

--2
---> PBSZ 0
<--- 200 OK
---> CWD /pub
<--- 250-- CWD for anonymous@ftp.delegate.org.
...
---> PASV
<--- 227 Entering Passive Mode (192,168,12,254,202,213).
---- Connecting data socket to (192.168.12.254) port 51925
---- Data connection established
---> LIST
<--- 150 Opening ASCII mode data connection for LIST (583 bytes).
Certificate: O=...

--3
<--- 226 Transfer complete (111 bytes)
gnutls_record_recv: A TLS packet with unexpected length was received.; assuming EOF
---- Got EOF on data connection
---- Closing data socket

--4
*** dist/src/delegate9.9.2-pre4/src/delegated.c	Thu Mar  5 23:13:55 2009
--- ./src/delegated.c	Sat Mar  7 06:04:03 2009
***************
*** 6534,6539 ****
--- 6534,6542 ----
  	}
  	defineAdminSTLS(Conn);
+ 	if( streq(iSERVER_PROTO,"ftp") || streq(iSERVER_PROTO,"ftps") ){
+ 		scan_TLSCONF(Conn,"shutdown");
+ 	}
  	if( getEnv(P_STLS) )
  	if( doneCRYPT == 0 && withDGA == 0 ){
  		sv1log("scan STLS and FILTERS before beDaemon()...\n");
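Review bot: the new scan_TLSCONF(Conn,"shutdown") call runs for every ftp/ftps server unconditionally, so from this hunk alone it is not clear whether a TLSCONF value an administrator set without "shutdown" is still honoured or whether "shutdown" is now forced; if the intent is a default, as the message says, consider applying it only when no explicit TLSCONF is present, and document the changed default for FTP-DeleGate alongside the STLS options.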
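Change 1) above, the timed SSL detection on a freshly accepted FTPS data connection, as an added example that is not DeleGate's code: the timeout rules follow the message, while the byte-level check (a TLS handshake record header, 0x16 then major version 0x03, carrying a ClientHello) and treating a silent client as cleartext are my assumptions.

```python
# Added example, not DeleGate's code. Timeouts follow the message; the TLS
# record-header check (0x16 handshake, 0x03 major version) is my assumption.
import select
import socket
import time

def data_channel_timeout(stls_optional, pbsz_zero, prot_p, explicit=None):
    """Seconds to wait for the client's first bytes, per the message's rules."""
    if explicit is not None:          # STLS="fcl,im0.3" -> 0.3
        return explicit
    if pbsz_zero and not prot_p:      # client sent "PBSZ 0" but never "PROT P"
        return 0.01
    if stls_optional:                 # STLS="-fcl": TLS on data is optional
        return 0.1
    return 10.0

def classify_first_bytes(buf):
    """'tls' for a TLS ClientHello record, 'plain' otherwise, 'empty' if undecidable."""
    if not buf:
        return "empty"
    if buf[0] != 0x16 or (len(buf) > 1 and buf[1] != 0x03):
        return "plain"                # not a TLS record header: cleartext data
    if len(buf) < 6:
        return "empty"                # TLS-looking prefix; need the handshake type
    return "tls" if buf[5] == 0x01 else "plain"   # 0x01 = ClientHello

def detect_data_channel_tls(conn, timeout):
    """Peek (MSG_PEEK) so the bytes stay queued for a later TLS accept. Returns
    'tls', 'plain' or 'timeout'; treating 'timeout' as cleartext is an assumption."""
    deadline = time.monotonic() + timeout
    while (remaining := deadline - time.monotonic()) > 0:
        if not select.select([conn], [], [], remaining)[0]:
            break
        buf = conn.recv(6, socket.MSG_PEEK)
        if not buf:
            return "plain"            # peer closed without sending anything
        verdict = classify_first_bytes(buf)
        if verdict != "empty":
            return verdict
        time.sleep(0.005)             # partial record header; wait for the rest
    return "timeout"

def simulate(client_bytes, timeout):
    """Constructed scenario: a fake client on a socketpair sends client_bytes (maybe none)."""
    server, client = socket.socketpair()
    client.sendall(client_bytes)
    verdict = detect_data_channel_tls(server, timeout)
    server.close()
    client.close()
    return verdict
```

A server that gets 'timeout' would proceed in cleartext, which is why the message shortens the wait when the client has signalled "PBSZ 0" without "PROT P".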